Cisco Umbrella DNS

About

Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so you can extend data protection to devices, remote users, and distributed locations anywhere.

Product Details

Vendor URL: Cisco Umbrella DNS

Product Type: DNS Security

Product Tier: Tier I

Integration Method: Amazon S3 Bucket

Integration URL: Cisco Umbrella Integration - Cyderes Documentation

Parser Details

Log Format: Syslog (CSV)

Expected Normalization Rate: 100%

Data Label: UMBRELLA_DNS

UDM Fields:

Log File Field                          UDM Field
Cisco (static)                          metadata.vendor_name
Umbrella DNS (static)                   metadata.product_name
DNS request and response were made      metadata.description
(static)
custom filter                           principal.hostname
custom filter                           principal.ip
custom filter                           principal.nat_ip
custom filter                           security_result.category_details
custom filter                           security_result.action
custom filter                           security_result.action_details
DNS (static)                            network.application_protocol
custom filter                           network.dns.questions.name
custom filter                           network.dns.questions.type
custom filter                           additional.fields
custom filter                           about.labels

Product Event Types

Event                                   UDM Event Classification
with network.dns.questions              NETWORK_DNS
missing network.dns.questions           GENERIC_EVENT

Log Sample

"2023-02-28 15:18:40","hostname1","hostname1","10.10.0.1","30.30.30.3","Allowed","1 (A)","NOERROR","api.hostname.com.","Search Engines,Allow List,Search Engines and Portals","Roaming Computers","Roaming Computers","Allow List"

Sample Parsing

metadata.event_type = "NETWORK_DNS"
metadata.vendor_name = "Cisco"
metadata.product_name = "Umbrella DNS"
metadata.description = "DNS request and response were made."
additional.fields["dns_return_message"] = "NOERROR"
additional.fields["identities"] = "Roaming Computers"
principal.hostname = "hostname1"
principal.ip = "10.10.0.1"
principal.nat_ip = "30.30.30.3"
about.labels.key = "DNS Lookup Type"
about.labels.value = "A"
security_result.category_details = "Search Engines"
security_result.category_details = "Allow List"
security_result.category_details = "Search Engines and Portals"
security_result.action = "ALLOW"
security_result.action_details = "Allowed"
network.application_protocol = "DNS"
network.dns.questions.name = "api.hostname.com"
network.dns.questions.type = 1